Threat Management, Malware, Threat Management

Microsoft’s war on illicit Cobalt Strike software is part of a new anti-ransomware front

Microsoft's war on illicit Cobalt Strike software is part of a new anti-ransomware front

Threat actors leveraging cracked versions of the penetration testing tool Cobalt Strike face new challenges as Microsoft, Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) step up efforts to reduce instances of the software tool from being available for download on warez sites and the networks that host them.

Forked versions of the Cobalt Strike software have proliferated among cybercriminals and are attributed to a scourge of malware attacks. Cobalt Strike is used by security professionals to simulate an adversarial attack against a company's attack surface. The respected tool, used widely by red team security professionals, has been coopted by criminals who use the software in a growing number of cyberattacks.

"Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software," wrote Amy Hogan-Burney, general manager at Microsoft's Digital Crimes Unit in a blog posted Thursday outlining the effort.

As part of the effort, the companies and Health-ISAC were granted a court order on March 31 from the US District Court for the Eastern District of New York that empowers Microsoft, Fortra, and Health-ISAC to work with internet service providers and computer emergency readiness teams (CERTs) who can assist in taking the infrastructure used by cybercriminals to distribute illegal copies of Cobalt Strike offline.

“Together, we are committed to going after the cybercriminal’s illegal distribution methods,” Microsoft officials said in the announcement. “We’ll need to be persistent as we work to take down the cracked, legacy copies of Cobalt Strike hosted around the world.”

The court order, Hogan-Burney said, will boost investigation efforts that include detection, analysis, telemetry and reverse engineering. Additional data and insights will help strengthen related legal cases, she said.

Microsoft, Fortra, and Health-ISAC also said, as part of their stepped up efforts, they will be collaborating with the FBI, the National Cyber Investigative Joint Task Force and Europol’s European Cybercrime Centre on related cases.

Microsoft said older versions of the pen testing tool continue to be “abused and altered” by cybercriminals. The “cracked” or illegal copies, for example, were behind destructive attacks on the Costa Rican government and the massive attack on the Irish Health Service Executive (HSE).

A Different Approach to Curbing Ransomware Attacks

In total, the ransomware families tied to illegal copies of Cobalt Strike have been used in 68 ransomware attacks against healthcare organizations across more than 19 countries, Microsoft cited.

One example was seen with an attack against Ireland HSE. The attack resulted in over five months of network outages that led to data exfiltration, patient care delays, emergency care disruptions and appointment cancellations. The cyberattack is believed to have cost over $600 million. The attacks on other health systems using Cobalt Strike faced similar impacts to the Ireland HSE fallout.

The tactic of going after the distribution of illicit copies of the software tool is a shift from past disruption efforts that targeted malware hackers’ command and control centers. One example of that is the takedown of the Zloader botnet by Microsoft, ESET, Black Lotus Labs, Palo Alto Networks, Health-ISAC and the Financial Services-ISAC in April 2022.

Microsoft also plans to expand its legal methods for further disruption of malware and nation-state operations leveraging illegitimate software. In doing so, the team hopes to “significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” the company said.  

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” Hogan-Burney wrote. “Our action is therefore not one and done.” The team intends to continue its pursuit of legal and technical action “to monitor and take action to disrupt further criminal operations.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds